More than a dozen members of the Evil Corp cybercriminal group have been slapped with financial sanctions led by the UK’s National Crime Agency. The announcement coincides with a fresh intelligence profile about the Russian-backed organization.
Tuesday’s sanctions by the NCA target sixteen members of the organized criminal syndicate, with the US and Australia issuing another eight sanctions in total against the group, which include asset freezes and travel bans.
It’s all in coordination with the NCA’s release of a detailed dossier depicting the historic ins and outs of what many security insiders consider to be one of the ‘OG ransomware gangs’ operating with full support from the Russian government.
UK’s Foreign Secretary David Lammy said it was his “personal mission to target the Kremlin with the full arsenal of sanctions at our disposal.”
"Putin has built a corrupt mafia state with himself at its center. We must combat this at every turn, and today’s action is just the beginning,” Lammy said, adding that Tuesday’s sanctions “send a clear message to the Kremlin that we will not tolerate Russian cyberattacks - whether from the state itself or from its cybercriminal ecosystem."
The eight-page report, titled “Evil Corp: Behind the Screens,” illustrates a timeline of the group’s activities from its initial inception by head Maksim Yakubets as the Jabber Zeus Crew in 2007 to its official designation as Evil Corp in 2014 and its nefarious criminal endeavors in 2024.
The NCA described Evil Corp’s trajectory from a family-centered financial crime group in Moscow to a booming cybercrime outfit responsible for extorting at least $300 million from victims worldwide in healthcare, critical national infrastructure, and government, among other sectors.
“Maksim took this family business into the 21st century, bringing his father (Viktor Yakubets), brother (Artem), and cousins (Kirill and Dmitry Slobodskoy) along with him,” branching out from the family’s money laundering ties into a prolific cybercrime organization, the NCA report said.
Yakubets has evaded capture by Western authorities since he was indicted and sanctioned in 2019 by the US government, along with a $5 million bounty issued for information leading to his arrest.
Now, all four relatives and Evil Corp members have been sanctioned, including one of the group’s administrators, Igor Turashev, and Maksim Yakubets' father-in-law, Eduard Benderskiy, a former high-ranking FSB official.
Further Evil Corp cyber criminals exposed following NCA investigation, one unmasked as LockBit affiliate, as UK, US and Australia unveil sanctions.
Read the full story ➡️ https://t.co/MVHye4QU2T
- National Crime Agency (NCA) (@NCA_UK), October 1, 2024
Russian safety net is wide
Since the Lamborghini-driving ringleader made the FBI's most wanted list in 2019, Yakubets has kept himself hidden within Russia’s borders while enjoying a lavish lifestyle under the protection of all three major Russian intelligence agencies.
"He's roaming free in Russia, and he's not in prison, and Russia is taking no steps to arrest him," Irina Tsukerman, a geopolitical analyst specializing in cybersecurity, told Cybernews in 2022.
The NCA portrays Evil Corp as having gone “far beyond the typical state-criminal relationship of protection, payoffs and racketeering” with Moscow.
It had also been discovered that before 2019, Evil Corp was actually tasked by Russian Intelligence Services to conduct cyberattacks and espionage operations against NATO allies.
Evil Corp is known for developing variants such as Dridex and GameOver Zeus, and a profile of the group by Mandiant threat researchers in 2019 linked it to numerous other ransomware variants, including BitPaymer, DoppelPaymer, WastedLocker, Hades.PhoenixLocker, and Hades.PayLoadBin.
After its inner workings and ransomware variants were exposed by Mandiant and others, the cartel seemingly took steps to change up its ransomware toolkit and was even suspected of changing its name to distance itself from negative publicity, including the possible rebranding to the ransomware group named UNC2165.
In 2023, some of its members, operating under the DoppelPaymer ransomware moniker, were busted up and their servers seized by German and Ukrainian authorities.
Evil Corp and LockBit connection
The NCA’s bold move follows further announcements on Tuesday about the arrest of four LockBit ransomware gang actors in conjunction with Europol, the FBI, and at least a dozen other EU nations, including the UK agency.
The LockBit arrest reveal also included news of an unsealed indictment by the US Department of Justice against high-ranking Evil Corp member Aleksandr Ryzhenkov, aka “Beverley,” apparently moonlighting as an affiliate for the LockBit group in his spare time.
Labeled by the NCA as "a prolific affiliate of LockBit and strongly linked to Evil Corp,” Ryzhenkov is said to be the right-hand man for Evil Corp’s leader Maksim Yakubets.
"The action announced today has taken place in conjunction with extensive and complex investigations by the NCA into two of the most harmful cybercrime groups of all time," said James Babbage, Director General for Threats at the NCA.
"These sanctions expose further members of Evil Corp, including one who was a LockBit affiliate, and those who were critical to enabling their activity," he added.
You can read more about Tuesday’s LockBit arrests, servers seized, and unsealed indictments in Cybernews’ coverage of the third phase of Operation Cronos – an ongoing international effort to dismantle the infamous ransomware group, which was launched in February.
Ryzhenkov is said to have personally been involved in carrying out at least 60 LockBit attacks in the US using BitPaymer, one of Evil Corp’s signature ransomware variants, and collecting over $100 million from victims.
"Today's charges against Ryzhenkov detail how he and his conspirators stole the sensitive data of innocent Americans and then demanded ransom," said US Deputy Attorney General Lisa Monaco.
"With law enforcement partners here and around the world, we will continue to put victims first and show these criminals that, in the end, they will be the ones paying for their crimes," Monaco said.